Microsoft Targets Shadow AI and Agent Sprawl with New Entra Agent ID Preview

Microsoft is modernizing identity management for the AI age with the public preview of Entra Agent ID. The capability offers organizations deeper visibility and full lifecycle oversight of AI agents to reduce risk and strengthen governance.

Microsoft first announced the initial preview of its Entra Agent ID in May 2025. However, most companies didn’t realize how many AI agents were already operating in their environments, which poses hidden security and governance risks.

A recent Microsoft study showed that administrators using the Conditional Access Optimization Agent within Entra completed critical tasks about 43% faster and with nearly 50% better accuracy. It also helped identify missing baseline security policies more than twice as effectively, with a 204% improvement in detection.

Microsoft Entra Agent ID is an enterprise-grade solution designed to manage the growing number of AI agents in business environments. It provides a centralized way to register, track, and govern each agent with a unique identity to ensure automatic compliance with organizational security policies.

The solution also introduces lifecycle governance, which allows IT teams to define guardrails for both agents and the people managing them. This enforces least-privilege access and compliance throughout the agent’s lifespan, including conditional access controls, traffic inspection, and the ability to block risky agents or interactions with malicious resources.

New AI-powered security features in public preview

The public preview adds protections against emerging AI security threats, including prompt injection protection, network file filtering, and controls to restrict unauthorized access to Model Context Protocols (MCP). Microsoft Entra Agent ID also detects shadow AI to give security teams visibility into unsanctioned AI tools, monitor usage trends, and enforce policies to block non-compliant services. Other features include user-centric access reviews, risk-based approvals, threat intelligence, URL filtering, and secure guest access.

Microsoft Entra Agent ID is available in preview through Microsoft Agent 365 and integrates with tools like Copilot Studio, Microsoft Foundry, and Security Copilot, with support for developers using Microsoft’s Agent Framework and SDKs.

AI-powered Security Copilot Agents

The new AI-powered Security Copilot agents enable organizations to automate identity and access security tasks. Each agent receives a unique, governed identity and specialized management tools. These include the Conditional Access Optimization Agent, the Access Review Agent for user and app access suggestions, the Identity Risk Management Agent for real-time anomaly monitoring, and the App Lifecycle Management Agent to audit, onboard, manage, and decommission apps systematically.

Microsoft Entra Internet Access and other updates

Microsoft Entra Internet Access preview capabilities secure generative AI usage at the network level, including real-time protection against prompt injection attacks and expanded traffic visibility. The integration with Microsoft Purview enables organizations to detect and block sensitive data before it is sent to AI or SaaS applications.

Lastly, Microsoft Entra ID is also rolling out identity-focused features to reduce phishing and impersonation risks. These include synced passkey support, simplified passkey management, enhanced risk detection, and secure self-service account recovery using Verified ID Face Check and government-issued IDs.